Abstract—The Internet of Things (IoT) is experiencing explosive growth and has gained extensive attention from academia and industry in recent years. However, most existing IoT infrastructures are centralized, which raises scalability and single-point-of-failure issues. Consequently, decentralized IoT has been proposed, taking advantage of the emerging blockchain technology. Voting systems are widely adopted in IoT, for example for leader election in wireless sensor networks. Self-tallying voting systems are alternatives to traditional centralized voting systems, which are unsuitable for decentralized IoT. Unfortunately, self-tallying voting systems inherently suffer from fairness issues, namely the adaptive and abortive issues caused by malicious voters. To address these issues, in this paper we introduce a framework for self-tallying voting in decentralized IoT based on blockchain. We propose a concrete construction and prove that the proposed system satisfies all the security requirements, including fairness, dispute-freeness and maximal ballot secrecy. We simulate the algorithms on a laptop, an Android phone and a Raspberry Pi to measure the time consumption, and evaluate the gas cost of each algorithm on a private blockchain. The implementation results demonstrate the practicability of our system.

Index Terms—Internet of Things, E-voting, Self-tallying, Blockchain, Zero-knowledge proof.
1 INTRODUCTION


The Internet of Things (IoT) is a system comprised of smart devices, actuators, sensors and other objects that are connected throughout the network with the ability to transfer data, share resources and make decisions without human-to-human or human-to-device interaction. IoT has gained extensive attention in industrial communities, and the IoT market is expected to reach $500 billion by 202[?]¹. Organizations in various industries utilize IoT for better efficiency, convenience and service². Besides the well-known applications of smart cities and smart homes, IoT has potential in many other public and private applications, such as manufacturing, agriculture, transportation, and healthcare. In recent years, new extensions of IoT have been proposed catering to specific needs in different scenarios, such as IIoT and NB-IoT.

Most IoT implementations have a centralized infrastructure. Specifically, the devices are linked to the cloud, controlled by a central hub and communicate through client/server (C/S) models, which is subject to several issues. First, all devices in the system are identified and authenticated by the central server, which requires a huge processing capacity. Second, centralization induces irrational use of resources, since connections and communications among devices go exclusively through the server, even if the devices are close to one another. Third, centralized frameworks suffer from single-point-of-failure issues.

To overcome the bottleneck of the centralized framework in IoT, the notion of decentralized IoT was proposed. A decentralized paradigm of IoT is promising to solve many issues of centralized IoT. However, establishing such a framework is quite challenging³. Blockchain is an emerging technology: a public ledger that achieves decentralization through cryptographic tools and consensus. With blockchain, communications between machines and sensors become easy and effortless. Due to these desirable features, blockchain has many impressive applications [38], [39], [40], [41], [42]. A majority of decentralized IoT proposals leverage blockchain [44] to build the underlying P2P network. The San Francisco startup Helium⁴ has built a blockchain-based machine network for IoT⁵.


1. Driving Unconventional Growth Through the Industrial Internet of Things. https://www.accenture.com/t20150523T023633Z__w__/us-en/_acnmedia/Accenture/Conversion-Assets/DotCom/Documents/Global/PDF/Dualpub_11/Accenture-Driving-Unconventional-Growth-through-IIoT.pdf?la=en

2. https://internetofthingsagenda.techtarget.com/definition/Internet-of-Things-IoT

3. https://techcrunch.com/2016/06/28/decentralizing-iot-networks-through-blockchain/

4. https://www.helium.com/

5. https://internetofbusiness.com/helium-blockchain-machine-network-iot-unleashed/
Voting systems and decentralized IoT. Voting systems have wide applications in IoT. Two typical examples are provided here. 1) Leader election in decentralized IoT. Leader elections are one of the most common and important activities in a decentralized IoT, such as wireless sensor networks [3]. The goal of a leader election is to designate a special node as an organizer to coordinate tasks among distributed nodes, breaking the inherent symmetry of distributed systems. The peers in the network communicate among themselves to vote for a leader. 2) Decision making in IoT systems. One of the most salient features of IoT systems is to collect data and make smarter decisions via voting accordingly⁶. To measure the data of the surrounding environment, such as temperature, density, etc., in industrial processes, redundant sensors are deployed. Devices measure various types of data and leverage diverse methods to analyze them, which may lead to differing opinions on a specific decision. The devices then vote for a final decision. Take environmental health IoT as an example, which comprises smart phones with apps that acquire environmental parameters, including temperature, humidity, noise and dust, with high accuracy. All these parameters are closely related to people's health, so environmental health IoT is an important reference for healthcare. The smart devices within an environmental health IoT collaborate to decide whether the current environment is suitable to live or work in.

Traditional voting systems with a central party organizing the voting activities are unsuitable for a decentralized IoT framework. As an alternative, self-tallying schemes were proposed, which do not need a third party to tally the ballots and reveal the final result. Instead, after all the voters have cast their ballots, anyone can collect the ballots and compute the final result. However, self-tallying schemes inherently suffer from fairness issues, in the sense that a malicious voter (sensor) can collect the other voters' ballots and compute the final result before casting its own ballot, i.e., it learns the final result ahead of schedule. Moreover, a voter may refuse to reveal its ballot, making it hard to obtain the final result; this is the abortive issue.

Our Contributions. In this paper, we aim to improve the fairness of blockchain-based self-tallying systems for decentralized IoT. The contributions of this paper are as follows.

1) We formalize the system model of self-tallying voting systems based on blockchain in decentralized IoT.

2) We propose a concrete construction of a blockchain-based self-tallying voting protocol in decentralized IoT, and prove that it satisfies fairness, dispute-freeness, and maximal ballot secrecy. Specifically, in our construction we modify the commitment and the recovery phase of existing self-tallying schemes to handle abortive issues, and suggest using timed commitments to deal with adaptive issues in self-tallying voting schemes.

3) We implement the proposed protocol on a laptop, a mobile phone and a Raspberry Pi respectively to test the time consumption. The gas cost is also evaluated on a private blockchain. The implementation results demonstrate its practicality in real-world applications.


Organization. The rest of the paper is organized as follows. We review the related work and provide some preliminaries in Sec. 2 and Sec. 3 respectively. The system and security models are presented in Sec. 4. We build a fair blockchain-based self-tallying voting system for decentralized IoT in Sec. 5, and the security proofs are provided in Sec. 6. The performance of the proposed protocol is illustrated in Sec. 7. Finally, we conclude the paper in Sec. 8.


2 RELATED WORK 


Blockchain-based IoT solutions. Resource constraints, storage limitations and security are the main hindrances for IoT systems. Researchers and companies have explored the potential of blockchain in IoT systems, focusing on different aspects of IoT such as device management, access control, supply chain, IoT security review and so on [4], [5]. Several solutions require additional off-chain storage [8], [9]. Some solutions integrate the cloud into blockchain-based IoT, in which the blockchain is an overlay of the system, but they are not fully decentralized [8], [11]. Some solutions leverage private blockchains and eliminate proof-of-work [8], [10], [12]. Aiming at IoT, a blockchain platform based on distributed apps (DApps) has been presented which could be applicable to industrial and manufacturing applications. Slock.it⁷, a German startup, uses smart contracts to manage locks of real-world property and achieves fair exchange between users directly. More potential blockchain solutions to IoT issues can be found in [14].

Self-tallying e-voting. E-voting is a flourishing and perennial topic in academic research. In traditional centralized e-voting protocols, a central authority is usually involved in organizing the election and counting the votes. To achieve stronger voter privacy, Kiayias and Yung proposed the notion of self-tallying voting, a new paradigm for decentralized e-voting systems. In self-tallying systems, tallying is an open procedure in which any party, including voters and observers, can validate each ballot and compute the final voting result after collecting all the valid ballots. They proposed the first concrete construction by leveraging a bulletin board, which achieves perfect ballot privacy and dispute-freeness, but its computational cost is linear in the number of voters. Groth et al. proposed a simpler scheme with better efficiency for each voter. They also constructed an anonymous broadcast channel with perfect message secrecy at the cost of increased round complexity, needing n + 1 rounds for n voters. Hao et al. proposed a self-tallying voting protocol based on a two-round anonymous veto protocol (AV-net). Their protocol provides the same security properties and achieves better efficiency in terms of round complexity. Khader et al. claimed that the protocol of Hao et al. is neither robust nor fair, and advanced it by adding a commitment phase and a recovery round. However, the commitment phase is expensive and the recovery phase ignores the ballots of the abortive voters in their construction.

6. http://healthandlearning.org/wp-content/uploads/2017/04/Decision-Making-Models-Voting-versus-Consensus.pdf

7. Slock.it. https://slock.it.

Blockchain-based e-voting systems. There are already some existing works on blockchain-based e-voting protocols. The role of the blockchain varies from scheme to scheme. Most of the works combine a blockchain with a bulletin board and still employ a trusted authority for voter privacy, such as Follow My Vote⁸ and Tivi⁹ ¹⁰. Some of the existing works are based on cryptocurrencies, such as Bitcoin and privacy-enhancing altcoins [22]. Takabatake et al. [31] proposed a voting protocol based on Zerocoin to enhance voter privacy. In 2017, McCorry et al. presented the Open Vote Network¹¹ ¹², the first implementation of a decentralized self-tallying e-voting protocol based on blockchain. The commitment in the Open Vote Network is the hash of the vote, which is irrecoverable if a voter refuses to cast his ballot in the voting phase. Netvote¹³ is a decentralized voting platform on Ethereum; users download the DApp to interact with the system in order to vote.


3 PRELIMINARIES 


In this section, we provide some preliminaries used in 
our construction. 


3.1 Intractable assumptions

1) Discrete Logarithm (DL) Assumption. Let $\lambda$ be a security parameter and $\mathbb{G} = \langle g \rangle$ a cyclic group of prime order $p$. The DL problem is, given a tuple $(g, g^a) \in \mathbb{G}^2$, to output $a \in \mathbb{Z}_p$, where $\mathbb{Z}_p$ is the set of non-negative integers smaller than $p$. The DL assumption holds if for any polynomial-time algorithm $\mathcal{A}$ the following advantage is negligible in $\lambda$:
$$\mathrm{Adv}^{\mathrm{DL}}(\mathcal{A}) = \Pr\left[\mathcal{A}(g, g^a) \to a\right].$$

2) Decisional Diffie-Hellman (DDH) Assumption. Let $\lambda$ be a security parameter and $\mathbb{G} = \langle g \rangle$ a cyclic group of prime order $p$. The DDH problem is, given a tuple $(g, g^a, g^b, T) \in \mathbb{G}^4$ where either $T = g^{ab}$ or $T = g^c$ for uniformly random $a, b, c \in \mathbb{Z}_p$, to output $x \in \{0, 1\}$ indicating which case holds. The DDH assumption holds if for any polynomial-time algorithm $\mathcal{C}$ the following advantage is negligible in $\lambda$:
$$\mathrm{Adv}^{\mathrm{DDH}}(\mathcal{C}) = \left|\Pr\left[\mathcal{C}(g, g^a, g^b, g^{ab}) = 1\right] - \Pr\left[\mathcal{C}(g, g^a, g^b, g^c) = 1\right]\right|.$$


8. https://followmyvote.com/
9. https://tivi.io/


3.2 Distributed ElGamal encryption

ElGamal encryption is semantically secure under the DDH assumption. Another merit of ElGamal encryption is its inherent homomorphism: the ciphertexts of $m_0$ and $m_1$ can be multiplied component-wise to obtain a ciphertext of $m_0 + m_1$ in the exponent encoding $g^m$ used below. A distributed ElGamal cryptosystem is a generalization of ElGamal encryption which contains the following algorithms.

Setup. Suppose there are $n$ users in the system, and the key pair of the $i$-th user is $(x_i, y_i = g^{x_i})$. Each user publishes his public key, and the common public key can be generated in a distributed manner [29] as
$$y = \prod_{i=1}^{n} y_i .$$

Enc. To encrypt a message $m$, randomly choose $r$ and compute the ciphertext $(c_1, c_2)$ of $m$ as $(g^r,\; y^r \cdot g^m)$.

Dec. Each user computes and broadcasts the partial decryption $c_1^{x_i}$. Then the decryption can be done by computing
$$g^m = c_2 \Big/ \prod_{i=1}^{n} c_1^{x_i} = c_2 \big/ c_1^{x_1 + \cdots + x_n},$$
and $m$ is recovered from $g^m$ when the message space is small.
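The following Python program is an added illustration of the distributed ElGamal algorithms above; it is not code from the paper. It uses deliberately tiny toy parameters $p = 2039$, $q = 1019$, $g = 4$ (an assumption of the example, chosen so the arithmetic is readable; they offer no security). Each party holds its own $x_i$, the common key is the product of the $y_i$, ciphertexts are aggregated by component-wise multiplication, and decryption needs one partial decryption $c_1^{x_i}$ from every party, which is why no proper subset of the parties can decrypt on its own.

```python
"""Distributed ElGamal with exponent encoding (Sec. 3.2) on toy parameters.

Assumption: p = 2q + 1 with q prime and g of order q. These values are far
too small for real use and exist only to make the example readable.
"""
import secrets

P = 2039   # safe prime, p = 2q + 1
Q = 1019   # prime order of the subgroup generated by G
G = 4      # 2^2 is a quadratic residue mod p, hence has order q


def keygen():
    """One party's key pair (x_i, y_i = g^{x_i})."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def common_key(pubkeys):
    """Common public key y = prod_i y_i (mod p); needs no trusted dealer."""
    y = 1
    for yi in pubkeys:
        y = y * yi % P
    return y


def enc(y, m):
    """Encrypt m in the exponent: (c1, c2) = (g^r, y^r * g^m)."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(y, r, P) * pow(G, m, P) % P


def aggregate(c, d):
    """Component-wise product: Enc(m0) * Enc(m1) is an encryption of m0 + m1."""
    return c[0] * d[0] % P, c[1] * d[1] % P


def partial_dec(x, c):
    """Party i broadcasts c1^{x_i}; its secret x_i never leaves the party."""
    return pow(c[0], x, P)


def dec(c, partials, max_m):
    """g^m = c2 / prod_i c1^{x_i}; recover m by searching a small message space."""
    denom = 1
    for s in partials:
        denom = denom * s % P
    gm = c[1] * pow(denom, -1, P) % P
    for m in range(max_m + 1):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("plaintext outside the search range (or a partial is missing)")


def demo(votes):
    """Constructed scenario: n parties each encrypt a 0/1 vote under the common
    key; the encrypted sum is decrypted jointly and the tally is returned."""
    keys = [keygen() for _ in votes]
    y = common_key([yi for _, yi in keys])
    ct = (1, 1)                      # encryption of 0 with r = 0: neutral element
    for v in votes:
        ct = aggregate(ct, enc(y, v))
    partials = [partial_dec(x, ct) for x, _ in keys]
    return dec(ct, partials, len(votes))


if __name__ == "__main__":
    print("tally:", demo([1, 0, 1, 1, 0]))
```

Dropping any single partial decryption from the list passed to `dec` leaves $g^m$ masked by $c_1^{x_i}$ for the missing party, so the search fails: that is the distributed-trust property the voting construction later relies on.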


3.3 Commitment 


A commitment scheme allows a user to commit to a selected statement, which is hidden from others during the Commit phase but can be revealed by the user in the Open phase. A commitment scheme has the following two properties [30]:


e Binding. The committer cannot change the statement 
after he commits to the statement. 

e Hiding. The receiver knows nothing about the commit- 
ted statement before the committer opens the commit- 
ment. 


3.4 Zero-knowledge proof of knowledge and Σ-protocol

Let $R$ be a binary relation on pairs $(x, w)$, where $x$ is the common input and $w$ is a witness. A zero-knowledge proof of knowledge is a protocol in which a prover $P$ proves to a verifier $V$ that it knows a witness $w$ for which $(x, w) \in R$, without revealing anything else.

A Σ-protocol is a way to design an efficient zero-knowledge proof. A protocol is a Σ-protocol for relation $R$ if it has the 3-move form shown in Fig. 1: 1) $P$ sends a commitment $a$ to $V$. 2) $V$ sends a random $t$-bit challenge $e$ to $P$. 3) $P$ sends a response $r$, and $V$ decides to accept or reject based on the verification algorithm. A Σ-protocol has the following properties.


Prover (random tape $S_P$, knows $(v, w) \in R$)        Verifier (random tape $S_V$, knows $v \in L_R$)
  $a = a(v, w, S_P)$                 --- $a$ -->
                                      <-- $e$ ---        random challenge $e$
  $r = \rho(v, w, e, S_P)$           --- $r$ -->        accept or reject $(a, e, r)$

Fig. 1. Σ-protocol


10. http://www.smartmatic.com/fileadmin/user_upload/Whitepaper_Online_Voting_Challenge_Considerations_TIVI.pdf

11. https://github.com/stonecoldpat/anonymousvoting

12. https://ethereumfoundation.org/devcon3/sessions/the-open-vote-network-decentralised-internet-voting-as-a-smart-contract/

13. https://citizendata.network/netvote/.


• Completeness. If $P$ and $V$ follow the protocol on input $x$ and $w$, where $(x, w) \in R$, the verifier always accepts the prover's proof.

• Special soundness. For any $x$ and any two accepting conversations on $x$ with the same commitment $a$ and different challenges, $(a, e, r)$ and $(a, e', r')$ with $e \neq e'$, one can efficiently extract $w$ such that $(x, w) \in R$.

• Honest-verifier zero-knowledge (HVZK). There is a polynomial-time simulator which, on input $x$ and a challenge $e$, outputs an accepting conversation of the form $(a, e, r)$ with the same probability distribution as conversations between the honest $P$ and $V$ on input $x$.

The special soundness property implies that the soundness error of this proof system is at most $2^{-t}$ for a $t$-bit challenge: a prover who does not know a witness can answer at most one challenge for a given commitment $a$.

A Σ-protocol can efficiently prove AND, OR and arbitrary combinations of AND/OR statements. More details can be found in [26], [32], [33], [34].


3.5 Blockchain 


Blockchain was proposed in 2008 as the backbone technology of cryptocurrencies to achieve decentralization. A blockchain is a public ledger that records all the modifications in the system as transactions. Logged transactions cannot be removed and can be accessed by all legitimate users in the system. In a nutshell, a blockchain system works as follows. Each user holds a public-secret key pair, and the public keys serve as the users' identities. Users conduct transactions, which include the details of the modification to the system, some necessary information (timestamp, etc.) and a signature. The validity of a transaction can be checked with the corresponding public key. Miners choose some transactions from the mining pool and generate a block. The block can be appended to the blockchain once the miners solve a pre-defined hard problem such as proof-of-work, and it is broadcast to all the users in the system once it is on-chain. Blockchains can be classified into three categories: public, consortium and private blockchains. In public blockchains, users can freely join or leave the system, as in the Bitcoin blockchain [1] and Ethereum [2]. In consortium and private blockchains, users need approval to enroll in the system.


4 SYSTEM AND SECURITY MODEL 


In this section, we describe the system model of the 
blockchain-based self-tallying voting system for decentralized 
IoT and list the necessary security requirements and the securi- 
ty model of a self-tallying voting protocol. 


4.1 System model 


The framework of a blockchain-based self-tallying voting protocol for a decentralized IoT system is shown in Fig. 2. There are three roles in the system, namely smart devices, a gateway and a blockchain. The IoT system is equipped with a number of smart devices, which are regarded as voting devices. A blockchain is leveraged to achieve a P2P overlay network and can also fulfill device management and act as a bulletin board. Each device needs to register when it first enrolls in the system, and casts ballots through the gateway to the blockchain. After collecting the ballots from the blockchain, the result can be obtained immediately to make decisions for the whole IoT system. Note that the blockchain leveraged in the model can be a private or a consortium blockchain (according to the voting scenario) rather than a public blockchain, which allows efficient consensus in practice, such as practical Byzantine fault tolerance (PBFT). We can also designate a block generator to produce new blocks if a private blockchain suits the application. We also note that the security of the blockchain matters a lot in our voting system: it is the foundation of the security of the whole system and plays an important role in the security guarantees of the voting protocol.


[Fig. 2: smart devices connected to a gateway, which relays transactions to and from the blockchain]

Fig. 2. The framework of the blockchain-based self-tallying voting system


4.2 System components 


Suppose there are $n$ voting devices in the system, denoted as voters $V_i$, where $i$ ranges from 1 to $n$. We denote by $x_i$ a variable $x$ belonging to voter $V_i$, and by $\{x_i\}_{i \in n}$ the set of these variables over all voters. A blockchain-based self-tallying voting system in decentralized IoT consists of the following algorithms.

Setup$(k, n) \to (sk_i, pk_i)$. This is a probabilistic algorithm that takes a security parameter $k$ and the number of voters $n$ as input and outputs the private and public key pair $(sk_i, pk_i)$ for each voter $V_i$.

Commit$(v_i, \{pk_j\}_{j \neq i, j \in n}) \to (C_i)$. This algorithm is run by each voter $V_i$. On input a vote $v_i$ and all the other voters' public keys $\{pk_j\}_{j \neq i}$, it outputs a commitment $C_i$ and a corresponding zero-knowledge proof. $C_i$ and the proof are published on the blockchain.

Vote$(v_i, sk_i, \{pk_j\}_{j \neq i, j \in n}) \to (V_i)$. This algorithm is run by each voter $V_i$. On input a vote $v_i$, the private key $sk_i$ and the other voters' public keys $\{pk_j\}_{j \neq i, j \in n}$, it outputs a ballot $V_i$ together with a zero-knowledge proof that the ballot is in the right form (i.e., follows the protocol), and publishes $V_i$ and the proof on the blockchain.

Tally$(\{V_i\}_{i \in n}) \to (Result)$. This is a deterministic algorithm that takes all the ballots $\{V_i\}_{i \in n}$ as input and outputs the election result $Result$.

Recover$(\{sk_j\}_{j \neq i, j \in n}, \{C_i\}_{i \in n}) \to (v_i)$. This algorithm recovers an abortive voter's vote. On input the abortive voter's commitment $C_i$ and all the other voters' private keys $\{sk_j\}_{j \neq i, j \in n}$, it outputs the abortive voter's vote $v_i$.


4.3 Attack model 


We consider two types of adversaries in our system: the 
passive adversaries and the active adversaries. The passive 
adversaries would not actively involve in the voting process, 
but only eavesdrop from the communication channel and/or 
the blockchain, trying to get the knowledge of the ballots. 
Active adversaries could actively hinder or manipulate the 
voting, and can abort before the voting finishes or collude with 
other voters to get more information about the ballots. 


4.4 Security requirements 


A self-tallying protocol is supposed to satisfy the following four security requirements against the attack model defined above, in which the first one resists passive adversaries and the other three are against active adversaries.


e Maximal ballot secrecy. A partial tally of the ballots can 
be accessed only by collusion of all remaining voters. 

e Self-tallying. After all the voters cast their ballots, any- 
one is able to compute the voting results with all the 
ballots. 


e Fairness. Fairness means that nobody has the priority 
to get a partial tally ahead of schedule. Self-tallying 
protocols always suffer from fairness issues, including 
abortive issues and adaptive issues. Abortive issues 
indicate that some of the users refuse to reveal their 
votes and abort before casting their ballots, then the final 
results won't be revealed. Adaptive issues state that the 
last voter has the priority to know the final results in 
advance, which may affect his choice or make him abort, 
causing an abortive issue. 

e Dispute-freeness. This property states that anyone can 
check whether the voters follow the protocol or not. This 
is an extension of universal verifiability. 


4.5 Security model 


In this section, we formalize the security model for maximal ballot secrecy.

Suppose there are at most $n - 2$ corrupted voters in the maximal ballot secrecy game, fully controlled by the adversary, since $n - 1$ colluding voters can trivially learn the vote of the last voter from the final result. The adversary can query the commitments as well as the corrupted users' ballots, and also obtains the final result of the election. Later, in the challenge phase, given two ballots carrying different votes from $\{0, 1\}$ for the two uncorrupted voters, the adversary needs to tell which of the two ballots encodes the vote 1. The detailed security game between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$ is as follows.

Maximal ballot secrecy (MBS): We say a self-tallying voting scheme is MBS-secure if no polynomially bounded adversary $\mathcal{A}$ has a non-negligible advantage against a challenger $\mathcal{C}$ in the following game.

Initial. There are $n$ voters in the game. $\mathcal{A}$ declares two target voters $V_s, V_t$ to be challenged upon. The other voters are regarded as corrupted users, whose votes are all controlled by $\mathcal{A}$. $\mathcal{C}$ randomly chooses $V_b$ from $\{V_s, V_t\}$ and sets the vote of $V_b$ to 1 and the other target voter's vote to 0.

Setup. C generates the private and public key pairs for each 
voter. Then C forwards all the public keys and the corrupted 
users’ private keys to A. 

Queries. $\mathcal{A}$ can choose any ballots for the corrupted users and make queries, including Commit queries and Vote queries, corresponding to the chosen ballots.

• Commit queries. $\mathcal{A}$ can query the commitment for a vote. $\mathcal{C}$ generates the commitment and records the ballot and the commitment in the list $L_C$.

• Vote queries. $\mathcal{A}$ can make queries on the ballots generated by any user other than $V_s, V_t$.

Challenge. $\mathcal{C}$ outputs two challenge ballots on behalf of the uncorrupted voters $V_s$ and $V_t$ chosen in the Initial phase.

Tally. $\mathcal{A}$ computes the final result of the election from the collected ballots.

Guess. $\mathcal{A}$ outputs a guess $guess$ to determine which of $V_s$ and $V_t$ has cast the ballot of 1.


In the above model, the reason we set two challenge ballots rather than one is to prevent the adversary from deducing the challenged vote from information it already has. Specifically, the adversary controls the ballots of the corrupted voters and obtains the election result after collecting the challenge ballots; with only a single challenge ballot, the adversary could subtract the corrupted votes from the tally and win the guessing game with non-negligible advantage. Likewise, if the two challenge ballots were allowed to carry the same vote from $\{0, 1\}$ and all the corrupted voters controlled by the adversary voted identically, the adversary could read the challenge votes off the result, again with non-negligible advantage $\epsilon$. Requiring the two challenge votes to differ fixes their sum, so the tally reveals nothing about which target voter cast the 1.

Definition 1. The voting scheme is MBS-secure if for any polynomial-time adversary,
$$\left|\Pr[guess = V_b] - 1/2\right| < \epsilon,$$
where $\epsilon$ is negligible.


5 CONSTRUCTION 


In this section, we present a concrete construction of the self-tallying voting system assisted by blockchain. As shown in Fig. 3, the system contains three phases: the Pre-vote phase, which includes the Setup and Commit algorithms; the Vote phase, which includes the Vote algorithm; and the After-vote phase, which includes the Tally and Recover algorithms. In the Pre-vote phase, the system is initialized and the voters register to obtain their private-public key pairs. Voters put their public keys, together with zero-knowledge proofs of knowledge of the corresponding private keys, on the blockchain. Commit ensures fairness: if voters skipped the commit step and cast their ballots directly, the last voter could access the final result ahead of schedule. In this phase, other voters cannot see the vote but only its commitment, so the voters need zero-knowledge proofs to show that the committed vote is in the right form (follows the protocol). Later, if the last voter refuses to vote, the other voters can recover the ballot from the commitment and obtain the result. In the Vote phase, the voters cast their encrypted ballots. In the After-vote phase, by collecting all the ballots from the blockchain, the final result can be obtained publicly. Recover is optional and is called when the last voter does not follow the rules to cast his/her ballot. The ballot of the last voter can be recovered from the corresponding commitment with the assistance of all the other voters.


[Fig. 3: Pre-vote phase (Setup publishes $pk_i$ with proof; Commit publishes $C_i$ with proof), Vote phase (ballot $V_i$ with proof), After-vote phase (Tally; Recover if a voter aborts)]

Fig. 3. The workflow of the blockchain-based self-tallying voting system.


5.1 Dealing with abortive issues 


Basic idea. The existing approaches to the abortive issue add a recovery phase in which the abortive users are excluded by removing their ballots, and the ballots of the remaining voters are tallied. However, an abort may be caused by a user who already knows the unwanted result and is against revealing it, so simply removing the votes might lead to a different voting result. Thus, we modify the recovery phase in [19]. In our modification, if the last voter quits after making a commitment, then his/her ballot can be revealed from the corresponding commitment with the cooperation of all the other voters. The detailed construction is as follows.


Setup$(k, n) \to (x_i, y_i)$. On input a security parameter $k$ and the number of voters $n$, it initializes the system by choosing two large primes $p$ and $q$, where $q$ divides $p - 1$. $\mathbb{Z}_p^*$ is the multiplicative group modulo $p$ and $\mathbb{G}_q$ is its subgroup of order $q$ with generator $g$. Each voter $V_i$ chooses a random private key $x_i \in \mathbb{Z}_q$ and computes the public key $y_i = g^{x_i}$. Then $V_i$ generates a zero-knowledge proof $\mathrm{ZKPoK}_1\{(x_i) : y_i = g^{x_i}\}$ (cf. Fig. 4). The public key and the corresponding zero-knowledge proof are published on the blockchain.

Prover $V_i$ (knows $x_i$)                          Verifier
  $w_i \in_R \mathbb{Z}_q$, $a_i = g^{w_i}$          --- $a_i$ -->
                                        <-- $e_i$ ---   $e_i \in_R \mathbb{Z}_q$
  $r_i = w_i - x_i e_i \bmod q$                      --- $r_i$ -->
                                                         accept iff $a_i = g^{r_i} y_i^{e_i}$

Fig. 4. Zero-knowledge proof for Setup
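As an added worked example (not the paper's code), the Python below implements the Schnorr Σ-protocol of Fig. 4: the three moves, the verifier's check $a_i = g^{r_i} y_i^{e_i}$, the special-soundness extractor and the HVZK simulator from Sec. 3.4, and the Fiat-Shamir transform that Sec. 5.1 later uses to make the proofs non-interactive. The toy group $p = 2039$, $q = 1019$, $g = 4$ and the use of SHA-256 as the hash-to-challenge are assumptions of the example, not values fixed by the paper.

```python
"""Schnorr Σ-protocol for knowledge of x with y = g^x (Fig. 4), plus the
special-soundness extractor, the HVZK simulator and a Fiat-Shamir variant.

Assumption: toy parameters p = 2q + 1, g of order q; not secure, only readable.
"""
import hashlib
import secrets

P, Q, G = 2039, 1019, 4


def prover_commit(x):
    """Move 1: P picks w and sends a = g^w; w is kept as prover state."""
    w = secrets.randbelow(Q - 1) + 1
    return w, pow(G, w, P)


def verifier_challenge():
    """Move 2: V sends a uniformly random challenge e in Z_q."""
    return secrets.randbelow(Q)


def prover_respond(x, w, e):
    """Move 3: P sends r = w - x*e mod q (the response form used in Fig. 4)."""
    return (w - x * e) % Q


def verify(y, a, e, r):
    """V accepts iff a == g^r * y^e, i.e. g^w == g^{w - xe} * g^{xe}."""
    return a == pow(G, r, P) * pow(y, e, P) % P


def extract(a, e1, r1, e2, r2):
    """Special soundness: two accepting transcripts sharing a with e1 != e2 give
    r1 - r2 = x*(e2 - e1), hence x = (r1 - r2) / (e2 - e1) mod q."""
    if e1 == e2:
        raise ValueError("challenges must differ to extract a witness")
    return (r1 - r2) * pow((e2 - e1) % Q, -1, Q) % Q


def simulate(y):
    """HVZK: choose e and r first, then set a = g^r * y^e. The transcript verifies
    without knowing x and has the same distribution as an honest one."""
    e = secrets.randbelow(Q)
    r = secrets.randbelow(Q)
    a = pow(G, r, P) * pow(y, e, P) % P
    return a, e, r


def _challenge(y, a):
    """Fiat-Shamir challenge e = H(g, y, a) mod q (SHA-256 is this example's choice)."""
    digest = hashlib.sha256(f"{G}|{y}|{a}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def fiat_shamir_prove(x, y):
    """Non-interactive proof: the prover derives e from the statement and a."""
    w, a = prover_commit(x)
    e = _challenge(y, a)
    return a, e, prover_respond(x, w, e)


def fiat_shamir_verify(y, a, e, r):
    """Recompute e so a cheating prover cannot pick a after seeing the challenge."""
    return e == _challenge(y, a) and verify(y, a, e, r)


if __name__ == "__main__":
    x = secrets.randbelow(Q - 1) + 1
    y = pow(G, x, P)
    w, a = prover_commit(x)
    e = verifier_challenge()
    print("interactive proof accepted:", verify(y, a, e, prover_respond(x, w, e)))
    print("fiat-shamir proof accepted:", fiat_shamir_verify(y, *fiat_shamir_prove(x, y)))
```

`extract` is the reason a prover must never answer two different challenges for the same $a_i$: reusing the randomness $w_i$ across two proofs leaks the private key $x_i$ exactly as the extractor computes it. `simulate` is the reason a transcript published on the blockchain proves nothing to a third party about who produced it, only that whoever did knows $x_i$.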


Commit$(v_i, \{y_j\}_{j \neq i, j \in n}) \to (C_i)$. Before casting a ballot, each voter $V_i$ collects the other voters' public keys $\{y_j\}_{j \neq i}$. To generate a commitment to the vote, $V_i$ chooses a random $\rho_i \in \mathbb{Z}_q$ and publishes $\beta_i = g^{\rho_i}$. $V_i$ then computes the commitment $C_i = g^{v_i} Y_i^{\rho_i}$ to ensure fairness, where $v_i \in \{0, 1\}$ is the vote and $Y_i = \prod_{j=1, j \neq i}^{n} y_j$. The voter also generates a zero-knowledge proof that the commitment is in the right form (cf. Fig. 5):
$$\mathrm{ZKPoK}_2\{(\rho_i) : (C_i = Y_i^{\rho_i} \;\vee\; C_i = g \cdot Y_i^{\rho_i}) \;\wedge\; \beta_i = g^{\rho_i}\}.$$
The commitment and the zero-knowledge proof are then put on the blockchain.

Vote$(v_i, x_i, \{y_j\}_{j \neq i, j \in n}) \to (V_i)$. To ensure the secrecy of the vote, each voter encrypts the vote as $V_i = h_i^{x_i} g^{v_i}$, where
$$h_i = \prod_{j=1}^{i-1} y_j \Big/ \prod_{j=i+1}^{n} y_j .$$
A zero-knowledge proof is generated to show that the vote $v_i$ is the same as the one committed in $C_i$. The statement (cf. Fig. 6) is
$$\mathrm{ZKPoK}_3\{(x_i, \rho_i) : (C_i = Y_i^{\rho_i} \wedge V_i = h_i^{x_i} \wedge y_i = g^{x_i} \wedge \beta_i = g^{\rho_i}) \;\vee\; (C_i = g \cdot Y_i^{\rho_i} \wedge V_i = g \cdot h_i^{x_i} \wedge y_i = g^{x_i} \wedge \beta_i = g^{\rho_i})\}.$$
The ballot and the proof are then published on the blockchain.

Tally$(\{V_i\}_{i \in n}) \to (Result)$. To tally the votes, one collects all the ballots and computes
$$\prod_{i=1}^{n} V_i = \prod_{i=1}^{n} h_i^{x_i} g^{v_i} = g^{\sum_{i=1}^{n} v_i},$$
since $\prod_{i=1}^{n} h_i^{x_i} = g^{\sum_i \sum_{j<i} x_i x_j - \sum_i \sum_{j>i} x_i x_j} = 1$: every product $x_i x_j$ appears once with a positive and once with a negative sign. As $\sum_i v_i$ lies in the small set $\{0, \dots, n\}$, $Result$ can be obtained by brute force over the candidates.

Recover$(\{x_j\}_{j \neq i, j \in n}, \{C_i\}_{i \in n}) \to (v_i)$. If the last voter $V_i$ does not cast a ballot in the Vote phase, then each of the remaining voters $V_j$ ($1 \le j \le n$, $j \neq i$) publishes a recovery factor for $V_i$,
$$R_{ij} = y_j^{\rho_i} = \beta_i^{x_j},$$
together with a zero-knowledge proof that it is in the right form (that the exponent $x_j$ in $R_{ij} = \beta_i^{x_j}$ is the same as in $y_j = g^{x_j}$). The value $g^{v_i}$ can then be computed as
$$g^{v_i} = C_i \Big/ \prod_{j=1, j \neq i}^{n} R_{ij} = C_i \Big/ \prod_{j=1, j \neq i}^{n} y_j^{\rho_i} = C_i / Y_i^{\rho_i},$$
and $v_i$ is easy to determine as there are only two candidates.

To compute the final result of the election, each remaining voter $V_j$ re-casts its ballot without $V_i$ as $V_j' = h_j'^{x_j} g^{v_j}$, where
$$h_j' = \prod_{k=1, k \neq i}^{j-1} y_k \Big/ \prod_{k=j+1, k \neq i}^{n} y_k ,$$
together with a ZKPoK of $x_j$ as in Fig. 4. Now everyone can compute the result of the remaining voters as $g^{\sum_{j \neq i} v_j} = \prod_{j \neq i} h_j'^{x_j} g^{v_j}$, because the $h_j'$ cancel among the $n - 1$ remaining voters exactly as the $h_i$ do above. The final result of the election is therefore $\sum_{j \neq i} v_j + v_i$.

We note that the proofs in Fig. 4, Fig. 5 and Fig. 6 are three-move interactive protocols built with the techniques in [32], which can be transformed into non-interactive protocols following the Fiat-Shamir heuristic by setting the challenge $e$ to the output of a secure hash function over the statement and the commitment.


5.2 Dealing with adaptive issues 


The adaptive issue seems inevitable in self-tallying protocols by definition, because the last voter holding a ballot can access the final result ahead of the other voters. We suggest using time-locked primitives to deal with the adaptive issue in voting systems. Time-lock encryption allows users to obtain the result only after a certain time [24]; once the deadline has passed, decryption can be performed immediately. It has been shown that time-lock encryption can be achieved using witness encryption with the blockchain as a computational reference clock. We borrow this idea in our protocol by encrypting the vote with witness encryption, where the witness is produced by the blockchain after a certain time. The blockchain also acts as the computational reference clock to measure the "certain" time, say after a given number of blocks have been generated. The votes can then be decrypted once the deadline has passed, and all the voters and observers can tally simultaneously to obtain the voting result.


6 SECURITY PROOF 


In this section, we show that the proposed protocol satisfies all the security requirements presented in Sec. 4.

Firstly, we show that the zero-knowledge proofs of knowledge in Fig. 4, Fig. 5 and Fig. 6 satisfy completeness, special soundness and honest-verifier zero-knowledge (HVZK). We give the detailed proof for Fig. 5 as an example and omit the proofs for the other figures, since they are quite similar.


Theorem 1. The zero-knowledge proof in Fig. 5 satisfies completeness, special soundness and honest-verifier zero-knowledge.


Proof. We omit the proof of completeness as it is straightforward to verify.

The witness for the statement in $ZKPoK_2$ is $\rho_i$. To prove special soundness, the goal is to extract a witness in polynomial time from two accepting conversations of the three-move interaction. Given two accepting conversations with the same values in the first round, different challenges in the second round and different responses in the third round, $(a_1, a_2, b_1, b_2, e, e_1, e_2, r_1, r_2)$ and $(a_1, a_2, b_1, b_2, e', e_1', e_2', r_1', r_2')$, we have $e \neq e'$ and hence $e_1 \neq e_1'$ or $e_2 \neq e_2'$, so it is easy to check that one of the following holds:

$\rho_i = (r_1 - r_1')/(e_1' - e_1)$ or $\rho_i = (r_2 - r_2')/(e_2' - e_2)$.

To prove HVZK, assume a simulator $\mathcal{S}$ that is given a random $e$. It randomly chooses $r_1, r_2, e_1, e_2$ with $e = e_1 + e_2$ and computes the conversation $(Y_i^{r_1} C_i^{e_1},\ Y_i^{r_2} (C_i/g)^{e_2},\ g^{r_1} \beta_i^{e_1},\ g^{r_2} \beta_i^{e_2},\ e, e_1, e_2, r_1, r_2)$, which is an accepting conversation and is indistinguishable from one generated by an honest prover.
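The three properties of Theorem 1 made concrete for the Commit-phase OR-proof $ZKPoK_2$, as an added example that is not the paper's code: an honest prover (the true branch answered with a fresh Schnorr commitment, the false branch simulated), the verifier's four checks in the form used by the simulator above, the HVZK simulator $\mathcal{S}$, and the special-soundness extractor that rewinds the prover to a second challenge and recovers $\rho_i = (r_k - r_k')/(e_k' - e_k)$ from the branch whose sub-challenge changed. The group parameters and the value standing in for $Y_i$ are constructed for the demo.

```python
"""OR-proof ZKPoK_2 of the Commit phase: prover, verifier, simulator, extractor.
Added example, not the paper's code. P, Q, G: constructed toy safe-prime group."""
import secrets

P, Q, G = 1019, 509, 4

def inv(a):
    return pow(a, P - 2, P)

def statement(v, rho, Y):
    """Public values for vote v in {0, 1}: C = g^v Y^rho, beta = g^rho."""
    return pow(G, v, P) * pow(Y, rho, P) % P, pow(G, rho, P)

def targets(C):
    """Branch k claims T_k = Y^rho: T_0 = C (vote 0), T_1 = C/g (vote 1)."""
    return C, C * inv(G) % P

def prover_commit(v, rho, Y, C, beta):
    """First move. True branch t = v: real commitments Y^w, g^w. False branch f:
    simulated with a random sub-challenge e_f and random response r_f."""
    t, f = v, 1 - v
    T = targets(C)
    w, e_f, r_f = (secrets.randbelow(Q) for _ in range(3))
    a, b = [0, 0], [0, 0]
    a[t], b[t] = pow(Y, w, P), pow(G, w, P)
    a[f] = pow(Y, r_f, P) * pow(T[f], e_f, P) % P
    b[f] = pow(G, r_f, P) * pow(beta, e_f, P) % P
    state = {"t": t, "f": f, "w": w, "e_f": e_f, "r_f": r_f, "rho": rho}
    return (a[0], a[1], b[0], b[1]), state

def prover_respond(state, e):
    """Third move: e_t = e - e_f fixes the true branch, then r_t = w - e_t rho."""
    t, f = state["t"], state["f"]
    es, rs = [0, 0], [0, 0]
    es[f], rs[f] = state["e_f"], state["r_f"]
    es[t] = (e - es[f]) % Q
    rs[t] = (state["w"] - es[t] * state["rho"]) % Q
    return e, es[0], es[1], rs[0], rs[1]

def verify(Y, C, beta, first, resp):
    """The accepting-conversation equations from the proof of Theorem 1."""
    a1, a2, b1, b2 = first
    e, e1, e2, r1, r2 = resp
    T0, T1 = targets(C)
    return ((e1 + e2) % Q == e % Q
            and a1 == pow(Y, r1, P) * pow(T0, e1, P) % P
            and a2 == pow(Y, r2, P) * pow(T1, e2, P) % P
            and b1 == pow(G, r1, P) * pow(beta, e1, P) % P
            and b2 == pow(G, r2, P) * pow(beta, e2, P) % P)

def simulate(Y, C, beta, e):
    """HVZK simulator S: given e, choose r1, r2, e1, set e2 = e - e1; no rho used."""
    r1, r2, e1 = (secrets.randbelow(Q) for _ in range(3))
    e2 = (e - e1) % Q
    T0, T1 = targets(C)
    first = (pow(Y, r1, P) * pow(T0, e1, P) % P,
             pow(Y, r2, P) * pow(T1, e2, P) % P,
             pow(G, r1, P) * pow(beta, e1, P) % P,
             pow(G, r2, P) * pow(beta, e2, P) % P)
    return first, (e, e1, e2, r1, r2)

def extract(beta, resp, resp2):
    """Special soundness: same first move, e != e'. For a branch k with
    e_k != e_k', rho = (r_k - r_k') / (e_k' - e_k) mod q; check it against beta."""
    _, e1, e2, r1, r2 = resp
    _, f1, f2, s1, s2 = resp2
    for ek, ek2, rk, rk2 in ((e1, f1, r1, s1), (e2, f2, r2, s2)):
        if ek != ek2:
            rho = (rk - rk2) * pow((ek2 - ek) % Q, Q - 2, Q) % Q
            if pow(G, rho, P) == beta:
                return rho
    return None

def demo(v, rho=77, Y=pow(G, 123, P), e=100, e_prime=200, e_sim=300):
    """Honest run, simulated run, and a rewinding to a second challenge e_prime.
    Returns (honest verifies, simulation verifies, extracted rho)."""
    C, beta = statement(v, rho, Y)
    first, st = prover_commit(v, rho, Y, C, beta)
    resp, resp2 = prover_respond(st, e), prover_respond(st, e_prime)
    sim_first, sim_resp = simulate(Y, C, beta, e_sim)
    return (verify(Y, C, beta, first, resp),
            verify(Y, C, beta, sim_first, sim_resp),
            extract(beta, resp, resp2))

if __name__ == "__main__":
    print(demo(0), demo(1))
```

Because the false branch's sub-challenge $e_f$ is part of the prover's fixed random tape, rewinding changes only the true branch's $e_t$; the extractor therefore learns $\rho_i$ from exactly the branch that encodes the real vote, which is why the paper can state that "one of the following holds".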


Fig. 6. Zero-knowledge proof of knowledge for Vote (figure not reproduced)

Next, we prove that the proposed scheme is MBS secure if the ZKPoK is zero-knowledge and the DDH assumption holds.

Theorem 2. If there exists an adversary that can win the guessing game in the MBS security model with a non-negligible advantage, then we can build an algorithm $\mathcal{B}$ that breaks the zero-knowledge property of the ZKPoK or the DDH problem.

Proof. Suppose there are $n$ voters $V_1, \dots, V_n$ in the game. The challenger $\mathcal{C}$ interacts with the adversary $\mathcal{A}$. We list a sequence of games to prove Theorem 2. We denote by $\Pr[\mathrm{Win}_i]$ the winning probability of the adversary (outputting a correct guess) in Game $i$.


Game 0. This is the original game defined in Section 4.5. $\mathcal{A}$ chooses two target voters $V_s, V_t$ to challenge upon and forwards them to $\mathcal{C}$. $\mathcal{C}$ tosses a coin to decide which one of the voters in $\{V_s, V_t\}$ votes 1 while the other votes 0. The reason for doing so is that $\mathcal{A}$ then learns nothing even from the tally result. The one who votes 1 is denoted by $V^*$. The challenges are denoted as $\{C_s^*, \pi_s^*, V_s^*\}$ and $\{C_t^*, \pi_t^*, V_t^*\}$, where $C_k^*$ is the commitment of the vote, $\pi_k^*$ represents all the ZKPoKs in the scheme and $V_k^*$ is the ballot, $k \in \{s, t\}$. The adversary outputs a guess $guess$; then, from the definition of the MBS game, we have

$\Pr[\mathrm{Win}_0] = \Pr[guess = V^*]$.


Game 1. Game 1 is the same as Game 0 with one difference. $\mathcal{C}$ runs a simulator $\mathcal{S}$ as in Theorem 1 and replaces all the zero-knowledge proofs $(\pi_s^*, \pi_t^*)$ with simulated proofs $(\pi_s', \pi_t')$ generated without the real witness. The two settings are indistinguishable from $\mathcal{A}$'s view. If $\mathcal{A}$ can distinguish between Game 0 and Game 1 with a non-negligible advantage, then we can use the adversary to construct an algorithm $\mathcal{B}$ that violates the zero-knowledge property of the ZKPoK. Thus, the adversary's winning probability in Game 1 satisfies the following equation.

$|\Pr[\mathrm{Win}_1] - \Pr[\mathrm{Win}_0]| \le \epsilon_{ZK}$


Game 2. Game 2 is the same as Game 1 with one difference. $\mathcal{C}$ replaces the commitment $C_s^*$ with a random number $C_s'$. The two settings are indistinguishable from $\mathcal{A}$'s view. Specifically, $\mathcal{C}$ generates private and public key pairs for the voters other than $\{V_s, V_t\}$. It then sets the public key of $V_s$ as $g^a$, $\beta_s$ as $g^b$ and $R \in \{g^{ab}, g^r\}$, where $r$ is a random number. $\mathcal{C}$ sets $C_s^* = g^{v_s} R \cdot (g^b)^{\sum_{j \neq s} x_j}$. Clearly, if there is a difference in the adversary's winning probability between Game 1 and Game 2, we can use the adversary to construct an algorithm $\mathcal{B}$ that violates the DDH assumption. Thus, the adversary's winning probability in Game 2 satisfies the following equation.

$|\Pr[\mathrm{Win}_2] - \Pr[\mathrm{Win}_1]| \le \epsilon_{DDH}$


Game 3. Game 3 is the same as Game 2 with one difference. $\mathcal{C}$ replaces the commitment $C_t^*$ with a random number $C_t'$. Following the same analysis as in the previous game, $\mathcal{C}$ sets the public key of $V_t$ as $g^a$, $\beta_t$ as $g^b$ and $R \in \{g^{ab}, g^r\}$, where $r$ is a random number. $\mathcal{C}$ sets $C_t^* = g^{v_t} R \cdot (g^b)^{\sum_{j \neq t} x_j}$. If there is a difference in the adversary's winning probability between Game 2 and Game 3, we can use the adversary to construct an algorithm $\mathcal{B}$ that violates the DDH assumption. Thus, the adversary's winning probability in Game 3 satisfies the following equation.

$|\Pr[\mathrm{Win}_3] - \Pr[\mathrm{Win}_2]| \le \epsilon_{DDH}$


Game 4. Game 4 is the same as Game 3 with one difference. $\mathcal{C}$ replaces the values $V_s^*, V_t^*$ with two random elements $V_s'$ and $V_t'$ satisfying a certain relation. The change is indistinguishable from $\mathcal{A}$'s view under the DDH assumption. Wlog, we assume $s < t$. Given the DDH instance $(A = g^a, B = g^b, C)$ where $C \in \{g^{ab}, g^r\}$, $\mathcal{C}$ sets the public keys of $V_s$ and $V_t$ as $A = g^a$ and $B = g^b$ respectively. $\mathcal{C}$ computes $V_s^*$ and $V_t^*$ as

$V_s^* = g^{v_s} A'/C, \quad V_t^* = g^{v_t} B' C$

where

$A' = A^{\sum_{j=1}^{s-1} x_j - \sum_{j=s+1, j \neq t}^{n} x_j}, \quad B' = B^{\sum_{j=1, j \neq s}^{t-1} x_j - \sum_{j=t+1}^{n} x_j}.$

(These are exactly $h_s^{x_s}$ and $h_t^{x_t}$ with $x_s = a$, $x_t = b$: the factor $y_t^{-a} = g^{-ab}$ in $h_s^{a}$ and the factor $y_s^{b} = g^{ab}$ in $h_t^{b}$ are the DDH value $C$.) Thus, $V_s^*$ and $V_t^*$ are two random elements satisfying $V_s^* = g A' B' / V_t^*$. Clearly, if there is a non-negligible difference in the adversary's winning probability between Game 3 and Game 4, we can use the adversary to construct an algorithm $\mathcal{B}$ that solves the DDH problem. Thus, the adversary's winning probability in Game 4 satisfies the following equation.

$|\Pr[\mathrm{Win}_4] - \Pr[\mathrm{Win}_3]| \le \epsilon_{DDH}$


Wrapping up. The winning probability of $\mathcal{A}$ in Game 4 is $1/2$, because in this game the challenges contain only random numbers, which are independent of the votes $v_s, v_t$. Therefore, we can conclude that there is only a negligible difference in winning probability for an adversary between Game 0 and Game 4 if all the ZKPoKs in the scheme are zero-knowledge and the DDH assumption holds. So the probability that $\mathcal{A}$ wins the MBS game is $1/2 + \epsilon$, where $\epsilon = \epsilon_{ZK} + 3\epsilon_{DDH}$.

Now, we show that the scheme satisfies fairness, self-tallying and dispute-freeness as well.


Fairness. Suppose voter $V_i$ commits to $v_i$ in the Commit phase and refuses to provide the vote in the Vote phase. Due to the soundness of the ZKPoK, the commitment is well formed, so we can guarantee that $v_i$ is recoverable by the other voters in the Recover phase.


Self-tallying. The zero-knowledge proof of knowledge in each algorithm of the proposed protocol forces the voters to behave honestly according to the protocol. After all the voters have cast their ballots, the self-tallying property is easy to verify: since $\prod_{i=1}^{n} h_i^{x_i} = 1$ in the Tally algorithm (the exponent $\sum_i x_i (\sum_{j<i} x_j - \sum_{j>i} x_j)$ is zero), the product of the ballots is $g^{\sum_i v_i}$ and the self-tallying property is achieved.


Dispute-freeness. For dispute-freeness, again, the zero-knowledge proof of knowledge in each algorithm of the proposed protocol ensures that the commitments and ballots are generated in the right form and can be publicly verified.


7 PERFORMANCE EVALUATION 


In this section, we first analyze the properties, the com- 
putational complexity and communication overhead of the 
proposed protocol, and then report the implementation results 
of each algorithm. We also test the gas cost of each algorithm 
on a private blockchain. 


7.1 Protocol analysis. 


A comparison among the existing self-tallying protocols is provided in Table 1. We focus on several main properties that a self-tallying voting protocol should have, including privacy, fairness and robustness. The number of rounds in the protocol is also considered in the table. From Table 1 we can see that our protocol satisfies all these properties. [citation] also performs well in this table; however, its efficiency is not good enough.


TABLE 1
Comparisons among the existing self-tallying e-voting protocols

Protocol        self-tallying   privacy   fairness   robustness   rounds
[citation]      ✓               ✓         ?          ✓            c
[citation]      ✓               ✓         ✓          ✗            n+1
[citation]      ✓               ✓         ✗          ✗            c
[citation]      ✓               ✓         ✗          ✓            c
Our proposal    ✓               ✓         ✓          ✓            c

- c represents constant and n is the number of voters; "?" marks a cell that is illegible in the source.


The computational complexity analysis is provided in Table 2. The parameters in Table 2 are elaborated as follows. Assume there are $n$ voting machines and one of them aborts in the Vote phase. We only count the expensive operations and ignore the cheap ones. exp denotes the exponentiation operation. ZKP for exp denotes the zero-knowledge proof of knowledge of an exponent. ZKP for AND denotes the zero-knowledge proof that several statements about discrete logarithms hold simultaneously. ZKP for OR denotes the zero-knowledge proof that a 1-out-of-2 statement about discrete logarithms holds. We can see from the table that our proposal is more efficient than the first two protocols and comparable to the third one. As in [17], if a voter refuses to cast his ballot, the voting would abort and the whole protocol would restart. Our protocol improves on this by adding the Commit and Recover algorithms, which cost some additional computation but are acceptable.


TABLE 2
Computational complexity analysis

Protocols      exp    ZKP for exp   ZKP for AND   ZKP for OR
[15]           2n+2   n+1           n             1
[citation]     4      2             1             1
[citation]     2      1             0             1
Our proposal   2      1             4             2

TABLE 3
Communication overhead analysis

Algorithm   Communication overhead
Setup       3|Z_p| + |Z_q|
Commit      6|Z_p| + 4|Z_q|
Vote        9|Z_p| + 7|Z_q|
Tally       (n-1)|Z_p|
Recover     (n+3)|Z_p| + |Z_q|

The communication overhead of each algorithm is analyzed in Table 3, in which $|Z_p|$ and $|Z_q|$ represent the length of an element of the groups $Z_p$ and $Z_q$, respectively.


7.2 Implementation results 


We also implement our proposal to test the time consumption of each algorithm in a variety of test environments. In our experiments, we first implement the protocols on a laptop (Fig. 7). For a better simulation of IoT devices, we then run the protocols on a mobile phone (Fig. 8), which has constrained resources. Besides, the Raspberry Pi is regarded as the standard platform for building IoT projects. Thus, we also evaluate the simulations on a Raspberry Pi 3 Model B+ (Fig. 9).

Environment. The laptop runs a Windows 8 64-bit operating system on an Intel Core (TM) i5-4300 @2.49 GHz CPU with 8 GB RAM. The phone runs Android 7.1.1 on a Qualcomm MSM8998 @2.45 GHz octa-core CPU with 6 GB RAM. The Raspberry Pi is equipped with a Broadcom BCM2837B0 1.4 GHz 64-bit quad-core ARM Cortex-A53 CPU and 1 GB LPDDR2 SDRAM. The operating system of the Raspberry Pi is Raspbian with kernel v4.14, the recommended Debian-based operating system. The projects are written in C++ with the MIRACL library [14], under Visual Studio 2010 for the laptop and the Android Studio compiler for the mobile phone, respectively. The project on the Raspberry Pi uses the GMP library [15]. We test the efficiency of each algorithm with an increasing number of voters. The implementation results are illustrated as follows.

Implementation results. In our experiment, we set the number of voters from 3 to 12 to test the efficiency of each algorithm. As we can see from the three figures (Fig. 7, Fig. 8 and Fig. 9), the trend of the algorithms is almost the same on each platform, but the magnitude differs, which reflects the different processing capability of the three kinds of devices. The time consumption of all the algorithms is linear in the number of voters, as more voters in the system require more computation in each algorithm. Among the four algorithms, the most expensive one is Vote, as $ZKPoK_3$ dominates Vote and it is the most complicated of all the zero-knowledge proofs; it costs 21.03 ms, 49.794 ms and 0.48 s for 12 voters on the laptop, the Android phone and the Raspberry Pi, respectively. The most efficient algorithm is Tally, which is consistent with our theoretical analysis, as no zero-knowledge proof is needed and the tallying equation is the product of the voters' ballots, which is linear in the number of voters. The running time of Tally for 12 voters is 4.076 ms, 21.714 ms and 0.21 s on the three platforms. The other two algorithms, Commit and Recover, need the expensive zero-knowledge proofs as well, but these are not as complicated as the one in Vote. The time costs of Commit on the three platforms for 12 voters are 12.264 ms, 49.794 ms and 0.27 s respectively. For Recover, the time consumption is 10.2 ms, 24.8 ms and 0.243 s, respectively, on the three platforms.

14. https://certivox.org/display/EXT/MIRACL.
15. www.gmp.org.


Fig. 7. Simulation on laptop (running time against the number of voters for Vote, Commit, Recover and Tally; plot not reproduced)

Fig. 8. Simulation on Android device (running time against the number of voters for Vote, Commit, Recover and Tally; plot not reproduced)


Fig. 9. Simulation on Raspberry Pi (running time against the number of voters, 3 to 12, for Vote, Commit, Recover and Tally; plot not reproduced)

7.3 Gas cost on the blockchain

We also evaluate the algorithms with Ethereum smart contracts written in Solidity [16] on a private blockchain in a test network to test the gas cost. The transactions are deployed with the Ethereum wallet [17] and a Geth server [18]. The gas cost of each transaction is listed in Table 4. As Table 4 shows, for each transaction we provide the gas cost as well as the corresponding ether cost and US dollar cost, where the gas price is 0.02 Ether per million gas and one Ether is 190 USD (Jul. 2019) [19]. Note that the commitments, the encrypted ballots and the corresponding zero-knowledge proofs can be computed locally. We also provide smart contracts for these phases that users can call to obtain the values offline. For the online part, Register is a part of Setup, which puts the public key of a user on the blockchain. Commit and Vote put the commitment and the ballot on the blockchain. Register, Commit and Vote all contain the verification of a zero-knowledge proof shown in Section 5. Register costs 317,614 gas, as it also performs several expensive storage accesses. Vote costs more gas than Commit, as the zero-knowledge proof in the former is more expensive than that in the latter. Tally is the cheapest one, since tallying the result needs no zero-knowledge proof. Besides that, the computation of $h_i$ and $Y_i$ costs 328,454 gas and 319,732 gas respectively for four voters, which equals 0.0066 ether and 0.0063 ether. There are more inverse operations in $h_i$ than in $Y_i$, so the cost of $h_i$ is slightly higher than that of $Y_i$. The USD cost of each online phase is less than 1 dollar, which is acceptable. The offline phase, which costs 1 dollar on average each, is optional.

16. https://solidity.readthedocs.io/en/v0.5.3/


TABLE 4
Gas cost for each transaction

Online       Register   Commit    Vote      Tally
GasCost      157,970    67,761    116,958   49,058
EtherCost    0.0031     0.0013    0.0023    0.0009
USDCost      0.589      0.247     0.437     0.171

Offline      ZKP        Commit    Vote      OrProof
GasCost      317,614    357,151   222,873   2,377,266
EtherCost    0.0064     0.0071    0.0044    0.047
USDCost      1.216      1.349     0.836     0.893

In the online phases, the contract verifies the proof of each algorithm; in the offline phases, it creates the proof of the algorithm.


17. https://wallet.ethereum.org/ 
18. https://geth.ethereum.org/downloads/ 
19. https://coinmarketcap.com/currencies/ethereum/. 
8 CONCLUSION

IoT is dramatically changing manufacturing and production in traditional enterprises, and it can be combined with blockchain to achieve decentralized IoT. In this paper, we integrated blockchain-based self-tallying voting systems into a decentralized IoT architecture to solve the fairness issues of self-tallying systems with two distinct mechanisms, and we provided a concrete construction. We proved the security of the construction and also implemented it to test the efficiency of the proposed protocol. Future work includes designing a prototype of the voting system and constructing a voting protocol for the large universe.